Private data: are you decent?

With assets of more than US$215 billion, Bank of America is the
third largest bank in the US and a massive repository of consumer
data. This made it particularly big news when, in February, the
company lost backup tapes containing detailed financial information
about an estimated 1.2 million customers of the US Federal
Government's SmartPay credit assistance program.

Less financially concerning but equally notorious was the recent
security breach at service provider T-Mobile, whose shortcomings
let hackers steal the personal information of more than 600 friends
of socialite Paris Hilton.

One loss was physical, the other logical - but both underscore
the importance of data privacy to companies managing personal
information about their customers. When that privacy is breached,
the potential consequences run far deeper than simple embarrassment
or lost contracts: with information privacy a legislative mandate
thanks to the expanded scope of Australia's Privacy Act 1988,
companies can be found liable if their privacy policies - or the
security tools to enforce them - are found to be deficient.

Introduced in late 2001, the regulations require that private
companies, like previously-regulated government departments,
subscribe to an industry-specific code of practice or a generic set
of 10 National Privacy Principles (NPPs) that direct the handling
of data from its collection and storage to its reuse and
disposal.

To meet the NPPs, companies must design their information systems
with enough internal controls to preserve the integrity and
security of collected personal information. This challenge has
become particularly pointed given that current wisdom in
information systems design advocates centralisation of data to
improve its quality, consistency, and ease of use. Centralisation
does all this, but it also turns ever-expanding databases into
potential privacy trouble spots.

Secure by design

The need for privacy was never far from the thoughts of project
managers at Toowoomba, Queensland-based Heritage Building Society -
Australia's largest building society - which recently
modernised ageing document handling processes that threatened to
hobble the company's goal of increasing mortgage lending
volumes by 370 per cent over four years.

With many processes still based entirely on paper files, meeting
that volume would have required unsustainable increases in staff
numbers using previous methods. Heritage took the plunge,
completely redesigning its internal workflow and implementing a
suite of FileNet applications that has automated the capture,
internal flow and archiving of more than 7.5 million critical
internal documents and images.

From an ROI perspective, the company's investment has paid
off: efficiency has increased by more than two-thirds, while
Heritage has halved the cost of its internal processes, allowing it
to support its rapid growth in transaction volumes without
increasing staff numbers.

Subject to a litany of regulatory guidelines, continuous
auditing requirements and, in recent years, statutory requirements
for information privacy, Heritage has been forced to ensure that
every aspect of its IT-driven change falls squarely on the cautious
side. "We identified security as an important issue early in the
project," says John Williams, head of technology and payment
systems with Heritage.

"It was always part of the design throughout the project, and
that made it easier to implement because it was at the forefront of
our minds."

Heritage employs a privacy officer to monitor the company's
privacy controls. Employees are continually trained and reminded
about the need to preserve customer privacy, and the company has
set up contact channels for employees to report suspected privacy
breaches. There are also technological protections, ranging from a
layered network security infrastructure to write-protection of
documents upon creation. Granular usage logging, built right into
the FileNet suite, ensures that Heritage has a record of each and
every time an employee accesses any of its documents.

"Information security is paramount where these sorts of
regulatory and privacy issues must be addressed," Williams says.
"We do store a lot of information about our members, and we make
sure weve got the right access controls so only the
appropriate people can access information. As the technology
distribution in most organisations becomes more prevalent,
its an increasing focus for us to be able to provide privacy
and security of information for our members."

The layered approach

Growing awareness of privacy imperatives and the general need for
security have driven many companies to explore the ways in which
layers of security technology can support policies around privacy
and other governance requirements.

Long the favourite of remote workers wanting to connect to the
network over the internet, virtual private networks (VPNs) have
become a popular way of increasing control over access to company
networks. Because VPN servers always require remote users to be
authenticated before letting them pass onto the network, they can
be instrumental in defining the terms of engagement: certain users
can, for example, be barred from accessing data stored on
particular parts of the network.

VPN servers also keep detailed usage logs, providing another
layer of control over information access and helping ensure that
any privacy breaches can be quickly traced back to their
perpetrator.

Health food maker Sanitarium used the VPN approach when it
recently upgraded its remote access environment to allow some 150
travelling users to log onto the network while in the field.
Previously limited by banks of slow modems at Sanitarium's 11
offices, internet-connected remote users got a much more capable
and flexible method of access using the encrypted VPN.

To further ensure the integrity of its networked information
resources, Sanitarium also deployed RSA SecurID hardware tokens to
ensure incoming users are who they say they are. Such technologies
provide far better control than simple user ID-password
combinations, which in turn increases the perceived reliability of
network privacy controls.

"We have a corporate privacy policy, which has a section
relating to computer networks and information stored on those
networks," says Dr Kevin Wallace, IT infrastructure services
manager with Sanitarium. "We use the VPN policy to help ensure that
the privacy policy is adhered to. We know how users come in, what
level of access they have to corporate data, and we can manage that
centrally. It adds a degree of certainty over who is accessing the
data."

Another technique for controlling access to sensitive
information is to shift access away from the company's core
servers by using web-based rather than full client/server
applications. In this way, users aren't actually connected
directly onto the network, but only interact with a web server
living at the edge of the network - which in turn acts as a
go-between to link the user with the applications running inside
the companys network.

Beyond the network

But what happens when the information in question is already
outside the network? With the proliferation of wireless and mobile
devices, this issue has come to the fore in recent years -
particularly given the results of a recent global Pointsec survey
of taxi companies that found mobile devices are being lost in
epidemic numbers.

During the second half of 2004, in Sydney alone, taxi drivers
reported finding 13,280 mobile phones, 1,725 pocket PCs and 977
notebook PCs. Worse still, only 46 per cent of mobile phone owners
and just 18 per cent of notebook owners ever saw their lost
valuables again.

It may be interesting trivia to most, but such results will send
shivers down the spine of any IT executive charged with ensuring
the integrity and security of their company's critical
information. Mobile devices have their role in many companies, but
they present potentially major problems in a regulatory environment
where increasing scrutiny of corporate governance has tightened the
screws on information management policies. Here, centralisation of
data and the dumbing-down of client devices may prove invaluable to
rein in potentially catastrophic loss of customer data in the
field.

Other risks exposed

How much security is enough? "It all comes
back to your risk analysis," says Williams. "If you assess the
risks [of any new project] appropriately, and apply the right
control measures to limit risk to acceptable levels, you should be
satisfied."

High-level risk management, however, can be difficult in large
organisations with many different types of potential exposures.
Business structures rarely map cleanly onto the typical
companys decentralised information environment, which can
make it difficult to enforce rigorous technological controls over
the use of customer information.

That information spends much of its time split between
databases, printed out on pages sitting unprotected on desks,
copied onto memory keys for use during late-night work, or exposed,
unencrypted, on a notebook PC. There are also new and poorly
understood risks associated with technologies such as voice over IP
(VoIP), whose data-based design could make it another potential
source of security breaches unless managed appropriately.

Integrity of privacy controls often suffers from endemic
political infighting and issues over data ownership and conflicting
business priorities. While the board may recognise the legislative
requirement for information privacy, the IT department must balance
the restrictions of security tools against the practical efficiency
requirements of the workforce. Adding a further wrinkle, the
companys marketing organisation may argue for freer access to
customer information in order to drive more aggressive
customer-focused campaigns.

"Theres a dynamic tension that exists," says Steve
Bittinger, research director with Gartner Pacific. "Privacy,
security and customer relationship management are all important,
and the picture is changing constantly as a result of changes in
technology that allow us to create new security and privacy
mechanisms."

Such mechanisms need to be well documented, accountable and
effective - but they don't necessarily need to be a burden for
companies. Rather, Bittinger says, the right balance can actually
become a business asset by increasing customers' perception of
a company as being trustworthy.

"You can start to consciously build up your trust with your
customers, and build a relationship that's based on excellence
of security and how you handle customer information and privacy,"
he explains. "Increasing trust is like reducing friction in the
system." For companies finding information management to be
anything less than smooth, that benefit alone justifies taking a
new look at how more appropriate security can better support
privacy requirements.

The 10 National Privacy Principles (NPPs) include:

Principle 1 - Collection: Only collect personal information that is
necessary. Let customers know what you've collected and why.

Principle 2 - Use and disclosure: Don't disclose personal information
except in certain circumstances, including some direct marketing,
imminent health or safety threat, exposure of unlawful activity and
others.

Principle 3 - Data quality: Take "reasonable steps" to ensure personal
information is complete, accurate and up to date.

Principle 4 - Data security: Protect personal information from
unauthorised access and misuse, modification or disclosure.

Principle 5 - Openness: Author a formal policy on information
management, and allow customers to know what information you hold on
them if they so request.

Principle 6 - Access and correction: Customers must be able to access
the information you hold on them, and arrange for correction of
incorrect details.

Principle 7 - Identifiers: Use your own identifiers when managing
personal information.

Principle 8 - Anonymity: Wherever possible, give individuals the
option of not identifying themselves when dealing with your company.

Principle 9 - Transborder data flows: Data may only be transferred
outside the country if the recipient follows similar privacy
guidelines, the individual consents to the transfer, or certain other
circumstances apply.

Principle 10 - Sensitive information: Sets terms under which a company
can collect sensitive information about individuals.